Jul 9, 2020
This article will go over how to install and configure your SSL certificate in Tomcat. You will need either a Personal Information Exchange (.pfx) or a Java Keystore (.jks) file to configure your server. To get a .pfx file, order an SSL certificate. To get a .jks file, follow our Java Keytool - Create Keystore instructions and provide your own CSR during the ordering process.
You can watch the video below for a tutorial.
Or, you can check the step by step guidelines below.
<Connector port="443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS"keyAlias="server" keystoreFile="/home/user_name/your_site_name.jks" keystorePass="your_keystore_password" />
<Connector port="443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" keystoreFile="conf/mydomain.pfx" keystorePass="your_keystore_password" keystoreType="PKCS12"/>
1. java.io.IoException: keystore was tampered with, or password was incorrect
This error may occur during installation. You may receive this error message if the password is entered into the Connector className instead of the factory className. Enter the password into the correct field to resolve the error.
If you cannot remember your password then your certificate must be reissued.
Keystore Tampered With
If the password is entered properly the issue may be with the keystore. Check if the correct keystore alias was used and if the keystore exists. If the key store is corrupted then a new keystore needs to be created, a new private key generated, and the certificate reissued.
2. java.security.UnrecoverableKeyException: Cannot recover key
This error occurs when the keystore and keyEntry passwords are different. To resolve this issue, you must remove all traces of the past certificate and request the file.
You must generate a new keystore, keyEntry and CSR. You must also specify the same password for the keystore and the keyEntry.
3. java.security.cert.CertificateParsingException: signed overrun, bytes = 84
This error may occur when the -alias parameter is omitted from the import command. Ensure you import the certificate into the keystore using the command:
keytool -import -alias [keyentry_friendly_name] -trustcacerts -file mycert.crt -keystore [keystore_name]
Be sure to specify the correct keystore name and keyEntry alias (friendly name).